
Straight-through vs crossover cable (C = crossover, S = straight-through)

               Hub   Switch   Router   PC (Workstation)
Hub            C     C        S        S
Switch         C     C        S        S
Router         S     S        C        C
Workstation    S     S        C        C

Easy way:
- Switch, Hub - same category (let's say cat1),
- All other devices - different category (let's say cat2),
- Crossover between devices within the same category (SW-SW, R-R, H-H, PC-PC, R-PC)
- Straight-through between different categories, one device from cat1 and one from cat2 (SW-PC, H-R, SW-R, H-PC...)
CCNA Security Cheatsheet
LAB: port-security
The attacker was connected via a hub to the Fa0/12 interface of the switch.
The topology is provided for your use. The enable password of the switch is cisco.
Your task is to configure the Fa0/12 interface on the switch to limit the maximum number of MAC addresses allowed to access the port to two, and to shut down the interface when there is a violation.
Switch>enable
Password: cisco
Switch#show running-config
Switch#configure terminal
Switch(config)#interface fa0/12
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 2
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#no shutdown
Switch(config-if)#end
Switch#show port-security interface fa0/12
Switch#copy running-config startup-config
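A way to verify the lab result from the saved config rather than by eye, as an added example (not part of the original cheatsheet): it parses the interface blocks of a `show running-config` dump and reports which of the lab's requirements an interface misses. The config text is a constructed sample; note that IOS prints the full name `FastEthernet0/12` for `fa0/12`.

```python
import re

# Constructed sample of `show running-config` output after the lab: Fa0/12 is
# compliant, Fa0/13 has port-security only half-configured.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/12
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
!
interface FastEthernet0/13
 switchport port-security maximum 2
!
"""

def parse_interfaces(config):
    """Return {interface name: [commands indented under that interface]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        match = re.match(r"^interface (\S+)", line)
        if match:
            current = match.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return blocks

def audit_port_security(config, interface, max_macs=2):
    """Return the lab requirements that `interface` fails (empty list = compliant).
    The violation mode is only checked when explicitly configured: 'shutdown'
    is the IOS default and is normally omitted from running-config."""
    lines = parse_interfaces(config).get(interface)
    if lines is None:
        return [f"{interface} not found in config"]
    problems = []
    if "switchport mode access" not in lines:
        problems.append("not a static access port (required for port-security)")
    if "switchport port-security" not in lines:
        problems.append("port-security not enabled")
    if f"switchport port-security maximum {max_macs}" not in lines:
        problems.append(f"maximum MAC count is not {max_macs}")
    for cmd in lines:
        if cmd.startswith("switchport port-security violation") and not cmd.endswith("shutdown"):
            problems.append(f"violation mode is {cmd.split()[-1]}, not shutdown")
    return problems
```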
LAB: NTP/ACL with CCP
1. Detect which interface is INSIDE and which is OUTSIDE: Configuration -> Interface Mgmt -> Interfaces
2. Configure NTP: Configure -> Router -> Time (use the IP from the description, not the topology map)
3. Create an ACL with 2 ACEs
4. Associate the ACL with the correct interface
5. Allow CCP to add an entry rule to allow NTP traffic
6. Check the "Save running config to startup config" box and press the DELIVER button
7. Check the ACL (it will have 3 ACEs)
Remarks:
** In the CCP lab, there is no option to send the configuration to the router. Just configure the following and you'll be OK.
** On GNS3/CCP we have NTP with port 123. On the exam sim we have only NTP(119) to choose.
** NAT Address Assigned By ACL1 means the IP facing the outside network, not the inside subnet.
General
- Cisco Defence in Depth
Implement Threat Mitigation - multi-layer network defences: ASA/firewalls, NIPS, HIPS (Cisco Security Agent), out-of-band management.
- Cisco Self-Defending Network – A suite of security solutions to identify threats, prevent threats and adapt to emerging threats to achieve a "Secure Network Platform". It consists of two key components, Cisco Security Manager and Mars (Monitoring, Analysis and Response System) to monitor and control network security devices and tools such as IOS & ASA firewalls, IPS sensors, NAC & Cisco Security Agent.
CCP
- Three security audit tools: 1. Cisco AutoSecure (IOS CLI), 2. Security Audit Wizard (GUI CCP), 3. One-Step Lockdown (GUI CCP)
Both GUI tools, Security Audit Wizard and One-Step Lockdown, are based on the Cisco IOS AutoSecure feature.
- Security Audit Wizard: displays a screen with fix-it check boxes; requires first identifying which router interfaces face the inside and outside networks
CCP-MENU
- Protocols from Cisco CLASS-MAP inspection:
CONFIGURE -> SECURITY -> FIREWALL -> FIREWALL -> EDIT FIREWALL POLICY -> Select and edit SERVICE (= Class Map)
or CONFIGURE -> SECURITY -> C3PL -> CLASS MAP -> INSPECTION -> select class map
- ZBF: Zone-pair <-> assigned policies
CONFIGURE -> SECURITY -> FIREWALL -> FIREWALL COMPONENTS -> ZONE PAIRS -> Select zone pair (tab POLICY)
- NETWORK OBJECTS
CONFIGURE -> ROUTER -> ACL -> OBJECT GROUPS -> NETWORK OBJECT GROUPS
- ACL/NAT
CONFIGURE -> ROUTER -> ACL -> NAT Rules (down is ACTION for selected ACL)
- CLASS-MAP
CONFIGURE -> SECURITY -> FIREWALL -> FIREWALL -> EDIT FIREWALL POLICY -> Select and edit SERVICE (= Class Map)
- Which CLASS-MAP is used by the INBOUND Rule?
CONFIGURE -> ROUTER -> ACL -> Firewall Rule (There you see the INBOUND Rule)
VPNs CCP
- Site-to-Site: conf->security-> vpn -> site-to-site VPN-> step-by-step wizard
1. [no defaults] select Interface, Peer IP, PSK (pre-shared key) or Digital Certificate
2. [has defaults] IKE policy (haggle) and transform-set (IPsec policy)
3. [no defaults] Traffic to protect (interesting traffic): ACL or Networks (Local and Remote)
- VPN: sender encrypts with the public key of the receiver, receiver decrypts with the receiver's private key
- VPN SSL: clientless (portal), thin client (Java), full client (AnyConnect)
- VPN between ASA <-> Cisco ISR: IPsec site-to-site, IPsec client remote-access, SSL full-tunnel, SSL clientless
L2 Security
- Native VLANS on trunks - should never be used anywhere
- STP: prevents L2 loops
- CAM OVERFLOW: causes the switch to behave like a hub (floods all traffic to all ports)
- VLAN Hopping countermeasure: disable DTP (disable trunk auto negotiation "switchport nonegotiate"), configure an unused VLAN as NATIVE VLAN
- MAC Spoofing countermeasure: interface port-security
- blended threat: zero-day and trojan attacks
AAA
- common examples: authenticate remote users, authenticate admins to console/vty/aux, authorize using TACACS+
- log terminal session: aaa accounting EXEC start-stop tacacs+
ACL
- ACL: more specific entries at the top; if an empty ACL is applied, traffic passes
- ACL: processed from top to bottom
- ACL: configure a PORT number ONLY with the 'tcp' option, not 'ip'
- ACLs only filter traffic passing through the router (they do not filter router-generated traffic)
- IOS ACL uses a wildcard mask (0.0.1.255), ASA ACL uses a subnet mask (netmask 255.255.254.0)
IDS/IPS
- IPS disabled signatures: still consume router resources
- IPS signature will generate an action on attack if: enabled, unretired and successfully compiled
- IPS RISK RATING (max = 100 points, most severe): used to improve the accuracy of detection and the response to incidents (reduce noise)
- IPS primary technology: signature-based prevention
- CCP pulls IPS alerts from a Cisco router with SDEE and HTTPS
- Cisco IOS IPS uses the Cisco IPS 5.x signature format (includes: SIGNATURE RISK RATING and ENCRYPTED SIGNATURE PARAMETERS)
- Cisco IOS IPS uses the underlying routing infrastructure (as additional security)
FIREWALLS
- STATEFUL Firewall: allows dynamic modification of rules for returning traffic
- STATEFUL Firewall: cannot detect application-layer (L7) attacks
- STATEFUL Firewall: keeps a stateful session table: src/dst IP, PORTs, TCP seq, TCP/UDP flags associated with the session
- STATIC Firewall: can permit/deny - IP/PROTOCOL/PORT
- Application (Layer 7) Firewall: can authenticate individuals, makes DoS attacks difficult
- ZBF actions: pass (permit), drop (deny), inspect (stateful firewall)
- ASA security levels: 0 (outside, most untrusted) < 1-99 (DMZ) < 100 (inside, most trusted)
Traffic is permitted only as the arrows (in the original figure) show
SYSLOG Levels
- 0 Emergencies
- 1 Alert
- 2 Critical
- 3 Error
- 4 Warning
- 5 Notification
- 6 Information
- 7 Debug
IOS security
- SECURE BOOT-CONFIG: takes a snapshot of the RUNNING config and securely archives it in persistent storage
- SECURE BOOT-IMAGE: enables IOS image resilience
- SECURE BOOT-IMAGE (IOS image resilience): the IOS image is not visible in the SHOW FLASH output
- SHOW SECURE BOOTSET: verify that the IOS image and config have been backed up and secured
- NO SERVICE PASSWORD-RECOVERY: will disable ROMMON
- enable secret LEVEL 5 password: accessing EXEC privilege level 5
Role-Based CLI
- AAA NEW-MODEL - before any config
- after aaa new-model is enabled: Router1>enable view (enables the root view), then define some views
- 3 types: root view (same access as privilege 15) / CLI view (one or more commands) / superview (= one or more CLI views)
CCNA Cheatsheet
Download as Doc File - http://db.tt/VyWlVMV9
Switching
- Native VLAN mismatch (show interface trunk or show interface switchport)
- deny port access to a new device: the denied MAC has already been learned on another interface in the same VLAN
- conference room: port-security on all interfaces WITH port-security maximum 1
VLAN
- enhances security + logical grouping by function
- adds security + provides segmentation
- provides microsegmentation (decreases the number of collisions) - one collision domain per SW interface
- switch maintains a separate bridging table for each VLAN
- VLAN and VTP info is stored only in flash:vlan.dat (VTP server AND client); for VTP transparent, in vlan.dat and startup-config
- VLAN and VTP info can be cleared with: erase start + delete flash:vlan.dat + reload
- port-security sticky: adds the MAC to running-config
- if the Native VLAN is not manually specified, the Native VLAN on the trunk = 1 (native VLAN mismatch error messages could appear)
- 802.1Q is not supported on any other Cisco 2600/3600 series 10BaseT Ethernet interface
Routing
- router does: packet switching + path selection
- if IP routing is enabled, the gateway of last resort can be set with:
ip route 0.0.0.0 0.0.0.0 <nexthop IP> (static route)
OR ip default-network <net_number> (used mostly with routing protocols, and is CLASSFUL)
- subnet zero can be used by entering in global config: ip subnet-zero
- reliability - usually refers to the bit error rate of each network link
- if QoS @ L4 is not maintained, start troubleshooting with L3 (network)
- private IPs on the internal network - to conserve public IPs
- static routing: traffic load is reduced in a stub network, security increases
- MTU (Ethernet = 1500 bytes) -> max IP packet size
- router does filtering at L3, broadcasts are not forwarded (but NOT eliminated)
- UDP will pass info in the order it arrives, even if datagrams arrive out of sequence
EIGRP/OSPF
- OSPF can balance across a maximum of 4 EQUAL-cost paths
- OSPF Area 0 is the backbone area; multiple areas must connect to Area 0
- totally stubby (LSA 1,2), totally NSSA (LSA 1,2,7), stub (LSA 1,2,3), NSSA (LSA 1,2,3,7), backbone or transit (LSA 1,2,3,4,5)
ACL
- packets are processed by an inbound ACL before they are routed to an outbound interface
- dynamic ACL: offers simpler mgmt in large networks, authenticates individual users
Frame relay
- BECN - congestion
- show frame-relay map - check the encapsulation type on the Cisco device
- encapsulation: cisco/ietf
- lmi: cisco/q933a/ansi (q933a aka Annex A, ansi aka Annex D)
- split horizon prevents R2 from learning R3 (RIPv2)
- point-to-point must have the SAME IP subnet (different PPP connections must have different subnet ranges)
- PPP: emulates leased lines + requires a unique subnet within the routing domain
WAN
- PPP CHAP: after link establishment + uses a 3-way handshake
- a modem or CSU/DSU can provide the clock rate
IPv6
- every IPv6 interface contains at least one loopback int + a single interface may have multiple IPv6 addresses of any type
- IPv6 address contains 8 fields of 16 bits each (128 bits total)
- autoconfiguration, plug-and-play, no broadcast
- anycast: one-to-nearest + same IP address on multiple devices + delivery of packets to the one closest to the sending device
Troubleshooting/IOS
- if DHCP conflict: the IP is removed from the pool, the admin must resolve the conflict
- DHCP: hosts need to periodically contact the DHCP server to renew the lease
- service timestamps log datetime msec - determine the timing of various debug events relative to each other
- hierarchical addressing: reduces routing tables + ease of mgmt and troubleshooting
- flash memory could be erased prior to upgrading the IOS image from the TFTP server, because this is requested during the copy dialog
- show version: shows the last method used to power-cycle a router
- input errors are caused by incorrect duplex on the REMOTE switch
- LED on a Catalyst is green AND amber - there are ERRORS
- service password-encryption: will encrypt ALL CURRENT and future passwords
- Setup (if no startup config is found) is ADDITIVE
- confreg 0x2122 = boot from network (in dump), but @cisco.com: boots into ROM if initial boot fails and 19200 console baud rate
- 100BASE-T is any of several Fast Ethernet standards for twisted-pair cables, including: 100BASE-TX (100 Mbit/s over two-pair Cat5 or better cable), 100BASE-T4 (100 Mbit/s over four-pair Cat3 or better cable, defunct), 100BASE-T2 (100 Mbit/s over two-pair Cat3 or better cable, also defunct)
NAT
- Internet hosts may not initiate connections to the DMZ because no translation may exist in the NAT translation table (the DMZ host first needs to make the connection)
WiFi
- WPA is preferred over WEP - values of the WPA key can change dynamically
- WPA - dynamic encryption keys + auth by PSK
- ESS -> the two APs should be on different channels
- for 802.11g only -> disable speeds 1, 2, 5.5, 11 (from 1-11, which are 802.11b)
- WPAv1 addresses WEP weaknesses: temporal key mixing + per-frame sequence counters
- WEP and TKIP are based on the RC4 encryption algorithm
RIP/EIGRP/OSPF
__Timers__ (hello/dead, in seconds)

           LAN      WAN
OSPF       10/40    30/120
EIGRP      5/15     60/180
Routing Terminology
+ cost: a configurable value based by default on the bandwidth of the interface
+ load: the amount of activity on a network resource
+ bandwidth: the data capacity of a link
+ hop count: the number of point-to-point links in a transmission path
+ reliability: usually refers to the bit error rate of each network link
+ delay: the amount of time required to move a packet from source to destination
+ split horizon: This prevents sending information about a route back out the same interface that originally learned about the route
+ holddown timer: For a given period, this causes the router to ignore any updates with poorer metrics to a lost network
+ poison reverse: A router learns from its neighbor that a route is down and the router sends an update back to the neighbor with an infinite metric to that route
+ LSA: The packets flooded when a topology change occurs, causing network routers to update their topological databases and recalculate routes
CCNA FAQs
1) subnet-zero, the all-ones subnet
Use of these subnets for addressing has been discouraged in the past.
When a network address is subnetted, the first subnet obtained after subnetting the network address is called subnet-zero and the last subnet obtained is called the all-ones subnet.
ex: if 172.16.0.0/16 is subnetted into 8 networks: 172.16.0.0/19 is the subnet-zero network, 172.16.224.0 is the all-ones network.
Subnet zero can be used by entering the command in global configuration:
router(config)#ip subnet-zero
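The FAQ's subnetting example worked through with Python's standard library, as an added example that is not part of the original cheatsheet: it cuts a network into 2^n equal subnets, names the subnet-zero and all-ones subnets, and also derives the IOS ACL wildcard mask for a subnet (the inverse of the netmask an ASA ACL would use, as noted in the ACL section). The function names are this example's own.

```python
import ipaddress

def split_subnets(network, count):
    """Return (subnet_zero, all_ones, all_subnets) for `network` cut into `count` pieces."""
    if count < 1 or count & (count - 1):
        raise ValueError("count must be a power of two")
    net = ipaddress.ip_network(network, strict=True)
    extra_bits = count.bit_length() - 1       # 8 subnets -> 3 more prefix bits
    subnets = list(net.subnets(prefixlen_diff=extra_bits))
    # subnet-zero has all subnet bits = 0, the all-ones subnet has them all = 1
    return subnets[0], subnets[-1], subnets

def wildcard_mask(subnet):
    """IOS-style wildcard mask (0 bits must match): the bitwise inverse of the netmask."""
    net = ipaddress.ip_network(subnet, strict=False)
    return str(net.hostmask)                  # ipaddress calls the inverse mask 'hostmask'

def describe(network, count):
    """Summarise the first and last subnet plus the masks an IOS/ASA ACL would use."""
    zero, ones, _ = split_subnets(network, count)
    return {
        "subnet_zero": str(zero),
        "all_ones": str(ones),
        "wildcard": wildcard_mask(zero),
        "netmask": str(zero.netmask),
    }

if __name__ == "__main__":
    # The FAQ's case: 172.16.0.0/16 split into 8 networks (/19 each)
    for key, value in describe("172.16.0.0/16", 8).items():
        print(f"{key:12} {value}")
```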
2) BGP network vs aggregate-address
- the network command is used to "advertise" networks into the BGP table and to other BGP peers, while
- aggregate-address is used to "reduce" the BGP table to fewer prefixes.
3) Redistribute (= import routes from)
- If the OSPF process is configured to advertise routes learned by the RIP process, it is said to be "redistributing RIP."
- You can use redistribute static to propagate a static default route with EIGRP.
Notice inside the routing table how it is listed as an externally learned EIGRP route with an AD of 170.
R(config)#ip route 0.0.0.0 0.0.0.0 loopback 1
R(config)#router eigrp 1
R(config-router)#redistribute static
4) "ip unnumbered"
- allows IP processing to be enabled on a serial interface without assigning it an explicit IP address.
5) what is global command
a command that is set once and affects the entire router (e.g. # hostname R1)
6) Hub and spoke network (Routing, VPNs)
Types (more info):
- Hub and Spoke
- Full Mesh
- Partially Mesh.
In the hub-and-spoke network, each branch (the spoke) communicates with the main office (the hub) and communicates with every other branch office only through the hub.
* There is one site (probably the main or corporate office) that has a direct connection to all other sites; called the "Hub"
* All other sites (usually remote offices or branches) only have a single connection to the Hub; called "Spokes"
* Hub-to-Spoke communication uses the direct connection
* Spoke-to-Spoke communication must go through the Hub as an "intermediate hop"
* Connection to an external network (i.e. the Internet) only exists at the Hub
* Communication between a Spoke and the external network must go through the Hub
Tips:
* Since from the Spoke's perspective traffic must go through the Hub to reach other sites or the external network, a single static route as default gateway pointing to the Hub should be sufficient to cover all communication types
* From the Hub's perspective, traffic must go through each dedicated connection to reach a specific Spoke or the external network; a single static default route pointing to the external network (i.e. the ISP) and several static routes to reach the Spokes should be sufficient to cover all communication types
* No need to run dynamic routing
* For a more resilient connection, bonded circuits (i.e. bonded T1/E1 circuits) between Hub and Spokes can be considered. Another consideration is to have redundant circuits between Hub and Spokes that are served by multiple ISPs
* The Hub network device should be the most powerful compared to the Spoke network devices, since the Hub must support traffic from all Spokes and the external network, while a Spoke only supports its own traffic
* Should there be a future need for a backup connection beyond bonded circuits, refer to the next setup
7) ip default-gateway vs ip default-network
ip default-gateway
If you have a switch that is layer-3 manageable and needs access to the Internet, you configure ip default-gateway, as the switch cannot run ip routing.
ip default-gateway is used when there is no IP routing and you need to pass traffic to a layer-3 device when the IP address is not on any attached/connected interface.
ip default-network is used when you do have ip routing enabled, and the device considers the default network as the route to any IP address that is not on any attached/connected interface or in its routing table.
A static route, installed with "ip route ...", is only local on the router. It has an administrative distance of 1. An "ip default-network" is advertised with the routing protocol; the administrative distance is according to the routing protocol used. You can have more than one default network, so the gateway of last resort is determined according to the metric.
This is something that was carried over from IGRP, as it is mostly important on classful routing protocols. Not a reality these days, as we mostly deal with classless networks.
ip default-network works only for DV protocols (RIP, IGRP, EIGRP); for all of them, the network advertised with the command "ip default-network" needs to be classful (ip default-network 2.0.0.0 and NOT ip default-network 2.2.2.0).